I am trying to understand how SSL works. My understanding is, after you reach the server the first time (say https://www.google.com), the server sends you its public key. Your browser then checks to ensure this public key is valid (not expired, etc) and legit; the latter is done by checking it with the root CA, to ensure the signature of the public key matches what the CA has on the record. If it all checks out, then your browser will encrypt everything using that public key, and only the server can decrypt it (because only the server has the private key).

Now, think of an elaborate man-in-the-middle attack: every time my browser tries to check the CA, the middle server will reroute my request not to the CA, but to another server. That server verifies any signature! That way, even if I get the wrong certificate, my browser will not know. Which means my ISP can send me fake certs and eavesdrop on my connection, for instance.

The safeguard against this (and correct me if I am wrong) is that to check the cert with the CA, the browser establishes an SSL connection to the CA, but this time it doesn't need to verify the public key it gets from the CA; it knows the correct public keys for all CAs.

But how can I know if someone hasn't installed a fake certificate for a fake CA on my computer? How can I know that every time I upgrade my browser, something malicious is not being installed as well?

Merik
  • This is not a programming question, and isn't really on-topic here. You'd probably have better luck on [security.se], but I'd certainly do a thorough search there before posting. I'm about 99% sure it will have been asked before. You might have done that here as well; look at the list of related questions to the right of yours (below the job ads), the very first of which asks about how SSL certificates are verified. – Ken White Jan 29 '16 at 00:28
  • Possible duplicate of [How are ssl certificates verified?](http://stackoverflow.com/questions/188266/how-are-ssl-certificates-verified) – Thilo Jan 29 '16 at 00:31

2 Answers

That is not how certificate validation works.

It is an offline process. The CA is not contacted. Instead, the server certificate contains a signature by the CA. This signature is validated using a CA certificate that is built into the browser (or the OS).

You can check the list of trusted root certificates in your browser settings.

> how can I know if someone hasn't installed a fake certificate for a fake CA on my computer?

Well, that would be a concern. And in fact, this does happen. Some companies routinely install fake root certificates on machines they issue to employees in order to allow them to intercept HTTPS connections. Some virus scanners and firewall products also work that way.

If you are worried about that you need to lock down your system.

> How can I know that every time I upgrade my browser, something malicious is not being installed as well?

Same thing. You download software from Mozilla, Microsoft, Apple, Google or Opera, and you have to trust them. At least make sure you get the software from the official channels (not on some USB you found in the street).

Thilo

> My understanding is, after you reach the server the first time (say https://www.google.com), the server sends you its public key.

No. It sends you its certificate, and it does so every time (ignoring SSL session resumption).

> Your browser then checks to ensure this public key is valid (not expired, etc) and legit;

No. It does that to the certificate. Public keys alone don't have expiry dates, digital signatures, etc., to check.

> the latter is done by checking it with the root CA, to ensure the signature of the public key matches what the CA has on the record.

No. It is done by checking whether the signer (issuer) of the certificate is already trusted by the local installation's set of CA certificates. There is no contact with the issuing CA.

> If it all checks out, then your browser will encrypt everything using that public key, and only the server can decrypt it (because only the server has the private key).

No. This is misinformation, fairly frequently repeated, always wrong. SSL uses a symmetric session key negotiated via a key-agreement protocol. If what you said was true, SSL could only communicate securely in one direction, and it would be as slow as a wet week.

> Now, think of an elaborate man-in-the-middle attack: every time my browser tries to check the CA, the middle server will reroute my request not to the CA, but to another server. That server verifies any signature! That way, even if I get the wrong certificate, my browser will not know. Which means my ISP can send me fake certs and eavesdrop on my connection, for instance.

As there is no communication with the CA, there is no such attack.

> The safeguard against this (and correct me if I am wrong) is that to check the cert with the CA, the browser establishes an SSL connection to the CA, but this time it doesn't need to verify the public key it gets from the CA; it knows the correct public keys for all CAs.

No. No safeguard required. See above.

> But how can I know if someone hasn't installed a fake certificate for a fake CA on my computer? How can I know that every time I upgrade my browser, something malicious is not being installed as well?

You don't.

user207421
  • But if a new root CA or intermediate CA opens up, how can browsers use it? Only through a local upgrade installing the public key and certificate of that new CA? – Merik Dec 09 '16 at 21:32
  • @Merik Not necessarily. If the new CA's certificate is signed by one of the already-trusted roots nothing further is required. – user207421 Mar 19 '17 at 23:56
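As an added example (not code from either answer or from any poster), the script below builds a throwaway PKI with the OpenSSL CLI and runs the offline chain check both answers describe: the leaf is accepted only if its signature chain reaches a certificate in the local trust store, the intermediate CA from the last comment needs no local install as long as it is presented, and a rogue CA is accepted exactly when its root has been added to that store. It assumes `openssl` 1.1.1 or newer is on PATH; every name, hostname and file here is constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original post): a throwaway PKI built with the
# OpenSSL CLI (assumed installed, 1.1.1 or newer) showing that validation is an
# offline signature-chain check against a local trust store; no CA is contacted.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
q() { "$@" >/dev/null 2>&1; }   # run an openssl command quietly

# Self-signed CA: stands in for a root certificate shipped with the browser/OS.
make_root() {   # $1 = file prefix, $2 = subject CN
  q openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  q openssl x509 -req -in "$1.csr" -signkey "$1.key" -out "$1.crt" -days 365 -extfile ca.ext
}
# Certificate signed by an existing CA's private key; "ca" marks an intermediate CA.
issue() {       # $1 = file prefix, $2 = subject CN, $3 = issuer prefix, $4 = ca|leaf
  q openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2"
  if [ "$4" = ca ]; then cp ca.ext "$1.ext"
  else printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$1.ext"; fi
  q openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
      -out "$1.crt" -days 90 -extfile "$1.ext"
}
# What the browser does: chain the leaf through the intermediates the server sent
# to some certificate in the local trust store. Exit 0 = trusted, non-zero = rejected.
verify_chain() {   # $1 = trust store (PEM), $2 = intermediates (PEM), $3 = leaf cert
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}
report() { if verify_chain "$1" "$2" "$3"; then echo "$4: trusted"; else echo "$4: rejected"; fi; }

make_root root  "Example Root CA"
issue inter "Example Intermediate CA" root ca
issue leaf  www.example.test inter leaf
make_root rogue "Rogue CA"                 # a CA nobody chose to trust
issue fake  www.example.test rogue leaf   # same hostname, untrusted issuer
cp root.crt trust.pem                     # the browser's trust store: the root only

report trust.pem inter.crt leaf.crt "leaf via intermediate, root trusted"   # trusted
report trust.pem root.crt  leaf.crt "leaf without its intermediate"         # rejected
report trust.pem rogue.crt fake.crt "leaf from rogue CA"                    # rejected
cat root.crt rogue.crt > poisoned.pem     # the scenario the question worries about
report poisoned.pem rogue.crt fake.crt "leaf from rogue CA, rogue root installed"  # trusted
```

The last line is the practical answer to the question: auditing what is in the trust store is the check, because once a root is there, every chain ending at it validates just like a chain to a genuine root.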